VHost/IP-Mismatch may allow for access to unintended VHosts

[Daniel Kahn Gillmor]

​imported from mantis:

Due to a problem with the way VHost configurations are matched to the connection it is possible that on a configuration with multiple IPs (e.g. IPv4/IPv6 or multiple IPv4) an attacker could issue a request on one IP address of the server which requests a VHost that should only be available on a different (possibly private) IP address.

Additional Information

1. Create two VHosts on different IPs.
   • VHost A on IP1
   • VHost B on IP2

2. Open a connection to IP1 requesting a domain only available on IP2 (e.g. B)

Expected

Default Fallback VHost of IP1

Actual

Some random matching VHost configuration for the domain even if mismatching the IP.

Note that in order to get a configuration of the wrong IP it's enough to have a VHost for Domain A on IP2 as well as IP1 (e.g. the IPv4/IPv6 Dual Stack case). That's also how I noticed this misbehaviour.

[Daniel Kahn Gillmor]

benbe said:

If my tests where correct (OpenSSL s_client didn't like IPv6 and GnuTLS-cli didn't like being told the exact SNI header to send ...) I couldn't convince mod_gnutls to send VHosts differing from those configured on the webserver for the IP I was connecting to. Due to the various bugs in OpenSSL s_client and gnutls-cli I couldn't verify this holds true for the Host header sent when the TLS session is established though. But given the VHost selection with Wildcard Aliasing being fixed too this issue should not be exploitable anymore.

dash said:

According to BenBE [reporter] this seems not exploitable in /trunk.

[Daniel Kahn Gillmor]

I'd like to see a test written for this, though.